Data Brokers and Telephone Records

With so much focus on the National Security Agency's monitoring and analysis of telephone records to catch terrorists, it's easy to overlook that these records have been accessed for years by "data brokers."

This year has brought an outpouring of legislative activity aimed at protecting the privacy of such records. Most recently, Congress began hearings on the ability of data brokers to collect Americans' private telephone records without the knowledge or consent of the affected person. In May, the Federal Trade Commission sued one broker, alleging a violation of the Telecommunications Act of 1996, which states that consumers' phone records are private property. This year alone, 11 states have enacted laws protecting such information, and most other states have such legislation pending.

Given the scope of activity on this issue, it is clear that such disclosures have hit a nerve with the American public. What isn't clear to many, however, is what information is being disclosed, how the data brokers can generate it and, finally, who is so interested in finding out my calling history?

Under Section 222 of Title 47 of the U.S. Code, every telecommunications carrier in the United States has a duty to protect the privacy of "customer proprietary network information." This term, usually shortened to CPNI, means any information that relates to the use of a telecom service by a consumer made available to the carrier by virtue of its relationship with the consumer.

Normally sought after by investigators pursuant to a lawful search warrant in a criminal investigation, such information provides a "telecommunications fingerprint" that can point to accomplices, undo alibis and even, in the case of mobile service, provide information about a suspect's location at a given time. It also can come in handy in a divorce trial, and this use, along with many others, is the source of the recent spate of legislative action.

There are three main methods to procure the information. The first, and most widespread, is called "pretexting," which requires merely a telephone call and a little acting ability. Under this practice, the data broker contacts the telephone company and seeks a subscriber's phone records by pretending to be the subscriber. By having a few details (phone number, Social Security number, date of birth), data brokers can collect this information with an alarmingly high rate of success.

The FTC gave a good summary of pretexting in its May enforcement action: "defendants have used, or caused others to use, false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier, to induce officers, employees, or agents of telecommunications carriers to disclose confidential customer phone records."

Telephone record information also can be accessed via hacking, which has become more common with the increase in subscribers who manage their accounts online. The last method to access phone records is simple bribery: What it lacks in finesse it more than makes up for with reliability.

Of course, no industry can survive without customers. And for data brokers who deal in telephone records, these customers need to be of the "no questions asked" variety. According to experts in the field, the vast majority of telephone records are purchased by attorneys, private investigators, skip tracers, debt collectors and the news media. One of the more dramatic uses for such information is to prove infidelity in a divorce case, but phone records are used mainly to track people for debt collection and pursuant to a private investigation.

Section 222 of Title 47 of the U.S. Code puts the responsibility for maintaining the confidentiality of telephone records squarely on the telephone carriers. The new laws, however, create criminal and civil penalties for individuals who fraudulently gain access to the records.

For those who might be less than alarmed at the prospect of having unknown people view their telephone records, remember that this is only one skirmish in the larger privacy war. The recent focus on phone record protection soon will move on to renewed focus on the protection of financial transaction data - once again, fueled at least partly by revelations concerning terrorism investigations. (How many people had, until recently, even heard of the international "SWIFT" money-transfer database?)

Complex economies demand the massive aggregation of personal data, which in turn requires ever-more sophisticated means to protect it. We are only now beginning to witness the changes that need to be made in our institutions, our laws and our daily lives to confront this new data frontier.